Is g0head/kicad-pcb safe?
https://github.com/openclaw/skills/tree/main/skills/g0head/kicad-pcb
The g0head/kicad-pcb skill is a legitimate KiCad PCB design automation tool that wraps kicad-cli to create schematics, run DRC/ERC checks, export Gerber files, and estimate manufacturing costs locally. The SKILL.md contains no prompt injection and the Python implementation has no active data exfiltration code in its current v1.0.0 release. The primary risk is forward-looking: pcbway-upload and pcbway-cart are documented as planned features with no current implementation, meaning a future update could introduce outbound transmission of user design files to an external service without triggering re-audit of the already-trusted skill. Secondary concerns include bare exception suppression in config handling and an 'open' subcommand that resolves arbitrary filesystem paths without restriction.
Findings (7)
MEDIUM Documented pcbway-upload and pcbway-cart commands have no implementation—future exfiltration surface -18
SKILL.md documents two PCBWay integration commands—pcbway-upload (upload Gerbers) and pcbway-cart (add to cart)—with a note that 'Future: Automated upload + cart placement' is planned. Neither command has a corresponding function in kicad_pcb.py v1.0.0. Once trusted and installed, any future update adding this logic could silently transmit user design files (Gerbers, drill files, BOM, 3D models) to an external service without triggering re-audit. The skill already holds the Gerber packaging pipeline (package-for-fab creates a ZIP of all fab files).
LOW Executable Python ships with silent exception suppression masking runtime failures -8
kicad_pcb.py includes multiple bare except:pass clauses that catch and discard all exceptions. This means file-not-found, permission errors, and JSON parse failures are silently ignored, returning None to callers. This pattern makes it difficult to audit whether the subprocess behaved as expected and could mask unexpected behavior introduced by future modifications.
LOW kicad-cli resolved via PATH at import time—hijackable in compromised environment -16
The module-level constant KICAD_CLI = shutil.which('kicad-cli') or '/usr/bin/kicad-cli' resolves at import, not at each invocation. If another skill or a compromised environment inserts a malicious binary named kicad-cli earlier in PATH before this module is first imported, all subsequent subprocess calls will execute the attacker binary with user-supplied arguments.
LOW 'open' subcommand resolves arbitrary filesystem paths with no working-directory restriction -12
The cmd_open() function accepts any path string from the agent and resolves it with Path(args.path).resolve(). There is no check that the resolved path is within a designated projects directory. An agent directed to open /etc or /home/user could reveal the existence and directory structure of sensitive locations, even if the skill cannot read file contents directly.
LOW PCBWay credentials stored in plaintext JSON with default filesystem permissions -8
SKILL.md instructs users to create ~/.kicad-pcb/config.json containing their PCBWay email. The save_config() function writes this file with json.dump under default umask permissions, which on many systems creates a world-readable file. Over time this config file may accumulate additional credentials as PCBWay auth is implemented.
INFO Canary files opened/accessed but not modified; timing consistent with audit infrastructure -12
Filesystem monitoring (inotifywait) recorded OPEN+ACCESS events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at 09:59:31, approximately 6 seconds before the git clone began at 09:59:37. A second batch of auditd PATH records for the same files appears at timestamp 1771927195.424 (post-install). The Python skill code contains no reference to these paths. EXECVE logs show no python3 invocation of kicad_pcb.py during the session. Both batches are consistent with the oathe audit system placing honeypot files and performing post-install canary verification. Canary integrity check confirms all files unmodified.
INFO External author attribution URL embedded in SKILL.md -10
The SKILL.md footer contains a markdown hyperlink to moltbook.com/agent/PaxSwarm. When the skill is injected into an LLM agent's system prompt, this URL is present in the context. No instruction to fetch or visit the URL is included, and most modern agent frameworks would not auto-fetch it, but it represents a low-level prompt surface.